Sigma Cheat Sheet: Anatomy of a Rule
Thomas Roccia (@FrØgger_)

Sigma is a tool used to identify patterns in log events using rules. Sigma is for log files what Snort is for network traffic and YARA is for files. A rule consists of a set of detection fields that describe the malicious events to identify.

Title
Title of your rule, which allows the goal to be identified quickly. This is the alert name.

Rule ID
Universally Unique Identifier (UUID), e.g. generated at https://www.uuidgenerator.net

Related rule types:
• derived: rule derived from the referred rule
• obsoletes: obsoletes the referred rule
• merged: rule was merged from the referred rules
• renamed: the rule previously had the referred identifier or identifiers but was renamed

Status
• stable: the rule may be used in production systems or dashboards
• test: rule that could require some fine tuning
• experimental: rule that could lead to false results

Description
Description of the current rule.

Tags
Tags from MITRE ATT&CK.
• Use lower-case tags only
• Replace spaces or hyphens with an underscore

Author
Specify the author(s) of the rule.

Date
Used to specify the date of rule creation.

Log Source
Identify the log source that triggers the rule, using the following attributes:
• product (e.g. linux, windows, cisco)
• service (e.g. sysmon, ldapd, dhcp)
• category (e.g. process_creation)

Fields
Log fields used for the evaluation of certain events.

False Positives
Describe possible false positives.

References
External links or documents for the rule. This field must be a list.

Level
Indicates the severity level of the rule:
• informational, critical, high, medium, low

Detection
Used to trigger your detection using selection and condition.

General
• All values are case-insensitive strings
• You can use the wildcard characters '*' and '?'
• Wildcards can be escaped with \, e.g. \*
• Regular expressions are case-sensitive

FieldName
FieldName defines the value in your logs. It can be a list linked with a logical 'OR'.
Or it can be a dictionary consisting of key/value pairs. Lists of maps are joined with a logical 'OR'. All elements of a map are joined with a logical 'AND'.

    detection:
        keywords:
            - 'EVILSERVICE'
            - 'svchost.exe -n evil'

    detection:
        selection:
            - EventLog: Security
              EventID:
                - 517
                - 1102
        condition: selection

Special Field Values
• An empty value is defined with ''
• A null value is defined with null

    detection:
        selection:
            EventID: 4738
        filter:
            PasswordLastSet: null
        condition: selection and not filter

Value Modifiers
Value modifiers are appended with a pipe character | as separator.
• contains: the value is matched anywhere in the field
• all: this modifier links all values with AND
• base64: the value is encoded with Base64
• base64offset: if a value appears inside a Base64-encoded value, its encoded representation might change depending on its position in the overall value
• endswith: the value is expected at the end of the field's content
• startswith: the value is expected at the beginning of the field's content
• utf16le: transforms the value to UTF-16LE
• utf16be: transforms the value to UTF-16BE
• wide: alias for the utf16le modifier
• re: the value is handled as a regular expression by the backends

Condition
• Logical AND/OR: keywords1 or keywords2
• 1/all of search-identifier
    o 1 (logical OR across alternatives)
    o all (logical AND across alternatives)
• 1/all of them: logical OR (1 of them) or AND (all of them)
• 1/all of search-identifier-pattern: same as 1/all of them but restricted to matching search identifiers
• Negation with 'not': keywords and not filters
• Brackets: selection1 and (keywords1 or keywords2)
• Near aggregation expression
    o near search-id-1 [[and search-id-2 | and not search-id-3] ...]
• Operator precedence:
    o |, or, and, not, x of search-identifier, (expression)
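To make the field, value and condition semantics above concrete, here is an added example (not code from the cheat sheet or the Sigma project) of a small evaluator that applies them to log events. It takes a detection block written as a Python dict in the same shape as the YAML, so no YAML library is needed, and implements case-insensitive matching, the '*' and '?' wildcards with '\' escapes, null and empty values, the contains/startswith/endswith/all/base64/utf16le/re modifiers, keyword lists, lists of maps, and conditions with and/or/not, brackets and '1/all of'. The rule (placeholder UUID), its title and the three Security-log events are constructed for this demo; the near aggregation and '|' operators are not implemented.

```python
# Added example, not code from the cheat sheet or the Sigma project: a small evaluator
# for the detection semantics above. Rule (placeholder UUID) and events are constructed.
import base64
import re

RULE = {
    "title": "Machine Account Changed While PasswordLastSet Is Present",
    "id": "00000000-0000-0000-0000-000000000000",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4738, "TargetUserName|endswith": "$"},
        "filter": {"PasswordLastSet": None},  # null: field absent or null
        "condition": "selection and not filter",
    },
}
EVENTS = [  # constructed Security-log records
    {"EventID": 4738, "TargetUserName": "WS01$", "PasswordLastSet": "2024-01-01"},
    {"EventID": 4738, "TargetUserName": "WS01$", "PasswordLastSet": None},
    {"EventID": 4738, "TargetUserName": "jdoe", "PasswordLastSet": "2024-01-01"},
]

def _to_regex(pattern, mode="equals"):
    # Sigma value -> case-insensitive regex; * and ? are wildcards, \ escapes them.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] in ("*", "?", "\\"):
            ch, i = re.escape(pattern[i + 1]), i + 1
        else:
            ch = ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        out.append(ch)
        i += 1
    pre = ".*" if mode in ("contains", "endswith") else ""
    post = ".*" if mode in ("contains", "startswith") else ""
    return re.compile("^" + pre + "".join(out) + post + "$", re.IGNORECASE | re.DOTALL)

def _match_one(field_value, pattern, mods):
    # One log field value against one rule value, applying modifiers in written order.
    if pattern is None:
        return field_value is None
    if field_value is None:
        return False
    if "re" in mods:  # regular expressions stay case-sensitive
        return re.search(str(pattern), str(field_value)) is not None
    raw, mode = str(pattern).encode("utf-8"), "equals"
    for mod in mods:
        if mod in ("utf16le", "wide"):
            raw = raw.decode("utf-8").encode("utf-16-le")
        elif mod == "base64":
            raw = base64.b64encode(raw)
        elif mod in ("contains", "startswith", "endswith"):
            mode = mod
    return _to_regex(raw.decode("latin-1"), mode).match(str(field_value)) is not None

def _match_search(event, search):
    # Map: fields joined with AND; list of maps: OR; list of strings: keyword OR.
    if isinstance(search, dict):
        hits = []
        for key, values in search.items():
            name, *mods = key.split("|")
            alts = values if isinstance(values, list) else [values]
            matches = [_match_one(event.get(name), v, mods) for v in alts]
            hits.append(all(matches) if "all" in mods else any(matches))
        return all(hits)
    if all(isinstance(item, dict) for item in search):
        return any(_match_search(event, item) for item in search)
    haystack = " ".join(str(v) for v in event.values() if v is not None)
    return any(_match_one(haystack, kw, ["contains"]) for kw in search)

def evaluate(detection, event):
    # Evaluate the condition (and/or/not, brackets, '1|all of ...') for one event.
    results = {k: _match_search(event, v) for k, v in detection.items() if k != "condition"}
    tokens = re.findall(r"\(|\)|[^\s()]+", detection["condition"])

    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            value, _ = expr(), tokens.pop(0)  # inner expression, then the closing bracket
            return value
        if tok == "not":
            return not atom()
        if tok in ("1", "all") and tokens[:1] == ["of"]:
            tokens.pop(0)
            target = tokens.pop(0)  # 'them' or a search-identifier pattern
            rx = _to_regex("*" if target == "them" else target)
            hits = [hit for name, hit in results.items() if rx.match(name)]
            return all(hits) if tok == "all" else any(hits)
        return results[tok]

    def expr(level=0):  # level 0 = 'or', level 1 = 'and' (binds tighter)
        value = expr(level + 1) if level < 1 else atom()
        while tokens[:1] == [("or", "and")[level]]:
            tokens.pop(0)
            rhs = expr(level + 1) if level < 1 else atom()
            value = (value or rhs) if level == 0 else (value and rhs)
        return value

    return expr()

def matching_events(rule, events):
    # Indexes of the events the rule's detection block fires on.
    return [i for i, ev in enumerate(events) if evaluate(rule["detection"], ev)]
```

Running `matching_events(RULE, EVENTS)` returns `[0]`: the second event is removed by the `filter` because its PasswordLastSet is null, and the third fails the `|endswith: '$'` test on the account name. Note that the null check is distinct from the empty string: `PasswordLastSet: null` matches a missing field, while `PasswordLastSet: ''` only matches a present but empty one, which is why the two special values are listed separately above.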
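The base64offset modifier deserves a worked illustration, because the one-line description above hides why a plain `|base64` match is not enough. Each Base64 character carries 6 bits, so a string encoded at byte offset 0, 1 or 2 inside a larger blob produces three different character sequences. The added example below (not code from the cheat sheet or the Sigma project; the word "evil" and the sample field values are constructed) encodes the value with 0, 1 and 2 filler bytes in front and strips the characters whose value depends on the neighbouring bytes, which gives three fragments that together cover every alignment.

```python
# Added example, not code from the cheat sheet or the Sigma project: how the
# base64offset modifier derives its three fragments. Value and fields are constructed.
import base64

def base64offset(value: bytes) -> list:
    """Return the three Base64 fragments that cover every byte alignment of value.

    Encoding with 0, 1 and 2 leading filler bytes shifts the value through the three
    possible alignments; the start/end slices drop the characters that still depend
    on the filler bytes, the padding or whatever follows the value in real data.
    """
    start = (0, 2, 3)          # leading characters polluted by the filler bytes
    end = (None, -3, -2)       # trailing characters polluted by padding or next bytes
    fragments = []
    for i in range(3):
        encoded = base64.b64encode(b" " * i + value).decode("ascii")
        fragments.append(encoded[start[i]:end[(len(value) + i) % 3]])
    return fragments

def contains_base64offset(field_value: str, value: bytes) -> bool:
    """Sigma-style `Field|contains|base64offset: value` check on one field value."""
    return any(fragment in field_value for fragment in base64offset(value))

# Constructed field values: the same word preceded by 0, 1 and 2 other bytes.
SAMPLES = {
    "offset0": base64.b64encode(b"evil").decode(),      # ZXZpbA==
    "offset1": base64.b64encode(b"xevil").decode(),     # eGV2aWw=
    "offset2": base64.b64encode(b"xxevil").decode(),    # eHhldmls
    "benign": base64.b64encode(b"good").decode(),       # Z29vZA==
}
```

`base64offset(b"evil")` yields `['ZXZpb', 'V2aW', 'ldmls']`; the first fragment is found in `offset0`, the second in `offset1` and the third in `offset2`, while none of them appears in the benign sample. A plain `|base64` value (`ZXZpbA==`) would only ever match the first case, which is the gap the modifier closes.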